A famous Homeland episode involved a terrorist gaining access to the Vice-President’s pacemaker. Accessing medical devices to wreak havoc was one of the motivations behind certain provisions of the Digital Millennium Copyright Act (aka the DMCA). The DMCA makes it “illegal to circumvent technological measures used to prevent unauthorized access to copyrighted works.” Section 1201 of the DMCA allows for exemptions to be made every three years. Recently, a number of exemptions were adopted to the DMCA’s anti-circumvention statute for numerous technologies, including personal medical devices. Although the exemptions went into effect on October 28, 2015, there were stipulations that delayed implementation until very recently. A number of safeguards remain in place, but the need for safeguards against cybercrime in the healthcare context remains compelling.
What does this mean for patients who are using portable medical devices?
The exemption removes the barrier for researchers to set up controlled experiments aimed at improving the security of these devices by finding potential vulnerabilities. The exemption relates to researching medical devices and reads as follows: “Literary works consisting of compilations of data generated by medical devices that are wholly or partially implanted in the body or by their corresponding personal monitoring systems, where such circumvention is undertaken by a patient for the sole purpose of lawfully accessing the data generated by his or her own device or monitoring system.” In order to conduct research using this type of data, the research environment must meet certain criteria. Those criteria include the following: (1) the computer program, or any device on which the program runs, must be “lawfully acquired”; (2) during the research, the device or computer program should operate “solely for the purpose of good-faith security research”; and (3) the research must not have begun before October 28, 2016.
How does this open up the field for more research opportunities?
The exemption rule allows for “good-faith research,” which is defined as “accessing a computer program solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability, where such activity is carried out in a controlled environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement.” What this means in the real world is that security researchers can, in a controlled manner and environment, access medical devices to search for vulnerabilities so that vulnerable software can be quickly patched. The exemption allows researchers to discuss publicly and share details of their vulnerability research without facing legal repercussions.
Why do we need this type of research?
A cybercrime wave hit the healthcare sector in 2016. According to TrapX, there was 63% year-over-year growth in attacks against the healthcare sector. Many of these cyber intrusions leveraged backdoors into medical devices like X-ray machines and blood gas analyzers. These devices are vulnerable to compromise because they lack the memory space necessary for cybersecurity software and are rarely updated. The dramatic ransomware attack against Medstar, which crippled their hospitals’ networks, underscored the defenselessness of the sector. The culture of the healthcare sector has been to adopt technology with minimal regard for the cybersecurity of those networks. The cybercrime community took note in 2016, and the ransomware attacks against the healthcare sector served as a canary in the coal mine. The vulnerability of medical devices poses a systemic risk to the sector’s digital health.
Historically, medical device manufacturers have been resistant to allowing outside security experts to look at their code for fear that flaws in their software will be revealed and expose them to regulatory scrutiny or lawsuits. More recently, some of the larger medical device manufacturers (e.g., Philips and Dräger) have published a coordinated vulnerability disclosure policy, which essentially invites researchers to look for software flaws in their devices, as well as a public statement of how the companies will handle reported vulnerabilities. For device manufacturers it is important to note that the FDA is encouraging this type of research to increase patient safety and reduce cybersecurity threats.
Suzanne Schwartz, director of emergency preparedness/operations and medical countermeasures for the Center for Devices and Radiological Health, a division of the FDA, stated that “The FDA is encouraging medical device manufacturers to take a proactive approach to cybersecurity management of their medical devices.” On December 29, 2016, the FDA issued the final guidance “Postmarket Management of Cybersecurity in Medical Devices”. What this means is that device manufacturers may need to report to the FDA post-market modifications related to cybersecurity made to devices already in the field, pursuant to Part 806 of the Food, Drug & Cosmetic Act (for device manufacturers this reporting relates to compliance with the quality system regulations). Device manufacturers need to take security considerations into account through a product’s entire lifecycle, starting with its development, to ensure proper performance and functionality if a hospital’s network is hacked. The FDA indicated that most routine updates or patches will not trigger a reporting responsibility, but the guidance leaves open the possibility that changes made to prevent or fix cybersecurity vulnerabilities will trigger reporting. As a result of this guidance, it is important for manufacturers to coordinate their cybersecurity efforts. This relatively new exemption can help foster that dialogue and introduce research into vulnerabilities to reduce the threat of future cyber-attacks on critical medical devices used by patients. In 2017, an individual’s physical well-being is going to depend on the digital health of medical devices.
What Proactive Risk Management Steps Can Be Taken in 2017 to Increase Security?
Listed below are some proactive steps that medical device manufacturers can take to decrease the risk of cybersecurity vulnerabilities and attacks. With the advent of new research into cybersecurity, the hope is that additional technology improvements will take place to allow for even further safety and evolution of security for medical devices.
Proactive Risk Management for 2017
- Require regular penetration tests of medical devices and of the networks that develop and utilize them.
- Deploy a DeceptionGrid.
- Deploy User and Entity Behavior Analytics (UEBA).
- Deploy two-factor authentication (e.g., biometrics) with contextual verification.
- Integrate intrusion prevention systems with breach detection systems.
Source: Strategic Cyber Ventures 2017